Akira Ransomware Targets SonicWall VPNs: What Your Business Needs to Know About This Active Threat

Emerging Threat: Akira Ransomware Exploiting SonicWall VPN Zero‑Day Vulnerability

Have you been breached? Speak to our IT Team today for assistance.

In mid‑July 2025, cybersecurity firms began reporting a sharp rise in ransomware deployments linked to the Akira ransomware group, targeting SonicWall SSL VPN devices, particularly the Gen 7 / SMA100 series. Initial access appears to be via a likely zero‑day vulnerability in these appliances — with some devices fully patched yet still compromised, and multi‑factor authentication bypassed. 

This is a serious, evolving threat. In response, we suggest businesses treat SonicWall SSL VPN access as an immediate risk vector and take proactive steps to protect their environments.

What Is Akira Ransomware and Why Is It So Dangerous?

Akira is a Ransomware‑as‑a‑Service (RaaS) operation first observed in March 2023. It has since hit over 250 organizations, including Stanford University, Nissan Australia, and major infrastructure firms, reportedly extorting as much as $42 million USD by April 2024. 

Key Characteristics and Tactics:

  • Double‑extortion model: data is exfiltrated, then encrypted. Victims are threatened with public release if ransom isn’t paid. 
  • Targets both Windows and Linux (including VMware ESXi); Akira v2, written in Rust, selectively encrypts databases, VM‑related files, and virtual disks for efficiency. 
  • Tactics include compromised credentials, public‑facing service exploits (e.g. Cisco ASA vulnerabilities), phishing, credential stuffing, and brute force.

Attack Chain (Typical):

  1. Initial access via compromised VPN credentials or zero‑day exploit in SonicWall or Cisco appliances.
  2. Execution and discovery using tools like Advanced IP Scanner, Rclone, FileZilla, WinRAR, Cobalt Strike, AnyDesk, etc., to map the network, move laterally, and exfiltrate data. 
  3. Persistence by creating unauthorized admin accounts.
  4. Disabling backups (e.g. deleting shadow copies via PowerShell), disabling AV tools via driver‑based methods, and executing encryption. 
  5. Encryption with ransomware variants appending extensions like .akira, .powerranges, or .akiranew, and leaving a ransom note (e.g. akira_readme.txt) with Tor negotiation links. 

Akira is particularly aggressive: it will often wipe backups and destroy recovery capability, rounding out one of the most disruptive ransomware profiles active today. 

SonicWall VPN Zero‑Day Exploitation: What We Know

A wave of ransomware incidents in late July 2025 began with unauthorized logins via SonicWall SSL VPN devices. Researchers noted that some affected devices had been fully patched, and MFA was bypassed, supporting the hypothesis of a zero‑day vulnerability. 

  • Arctic Wolf traced the surge to around July 15, 2025, with some unauthorized VPN activity dating back to October 2024. 
  • Security analysts observed consistent rapid escalation: ransomware encryption followed VPN access within hours. Attackers often connected from VPS‑hosted networks rather than consumer ISPs, suggesting deliberate operational security on the attackers' part. 
  • SonicWall and multiple security firms, including Arctic Wolf and Tenable, recommend disabling SSL VPN services until further notice, applying geo‑IP filters, enforcing MFA, and removing unused accounts. 

Proactive Defensive Measures We Suggest

Given the severity and active exploitation, we suggest organisations take the following steps immediately:

  1. Temporarily disable SonicWall SSL VPN access, preferably until SonicWall confirms a patch is available.
  2. If disabling isn't viable, restrict VPN access to trusted, static IP addresses only.
  3. Enforce multi‑factor authentication (MFA) for all VPN access and review recent login patterns closely.
  4. Remove dormant or unused user accounts, especially local firewall or VPN credentials.
  5. Rotate VPN credentials, ensure password hygiene, and audit account security.
  6. Enable Botnet Protection and Geo‑IP filtering to block access from high‑risk regions. 
  7. Monitor logs for unusual VPN access patterns, especially logins from VPS IPs, rapid lateral movement, or suspicious post‑login activity.
  8. Ensure segmented and offline backup strategies; test restore procedures regularly—since Akira targets backup integrity aggressively.
  9. Deploy endpoint detection for tools associated with Akira (e.g. Advanced IP Scanner, WinRAR, FileZilla, AnyDesk, Rclone etc.) and monitor for their execution. 
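As an added illustration of step 7 (not code from the original advisory or from SonicWall), the script below runs three simple checks over constructed VPN log lines: logins from an assumed hosting/VPS address range, logins by accounts listed as dormant, and rapid follow‑on activity after a VPN login. The log format, the VPS range, and the dormant‑account list are all assumptions made for this example; a real deployment would feed it the appliance's actual syslog output and a maintained hosting‑ASN list.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed log format for this example (NOT SonicWall's real syslog schema):
# "<ISO timestamp> <event> user=<name> src=<ip>"
SAMPLE_LOG = """\
2025-07-15T02:11:04 vpn_login user=jsmith src=203.0.113.45
2025-07-15T02:11:30 smb_access user=jsmith src=203.0.113.45
2025-07-15T02:14:52 rdp_connect user=jsmith src=203.0.113.45
2025-07-15T09:02:10 vpn_login user=mlee src=198.51.100.8
2025-07-15T11:40:00 vpn_login user=svc_backup src=192.0.2.77
"""

# Assumed hosting/VPS ranges (constructed; use a real hosting-ASN list in practice).
VPS_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Accounts with no login for a long period (constructed list; see step 4 above).
DORMANT_ACCOUNTS = {"svc_backup"}
# Internal activity this soon after a VPN login counts as rapid escalation.
ESCALATION_WINDOW = timedelta(minutes=15)


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, event, user_kv, src_kv = line.split()
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "user": user_kv.split("=", 1)[1],
            "src": ipaddress.ip_address(src_kv.split("=", 1)[1])}


def detect(log_text):
    """Return (user, reason) alerts for suspicious VPN logins in log_text."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for i, e in enumerate(events):
        if e["event"] != "vpn_login":
            continue
        if any(e["src"] in net for net in VPS_RANGES):
            alerts.append((e["user"], "login from hosting/VPS range"))
        if e["user"] in DORMANT_ACCOUNTS:
            alerts.append((e["user"], "dormant account logged in"))
        # Count non-login actions by the same user within the escalation window.
        followups = [f for f in events[i + 1:]
                     if f["user"] == e["user"] and f["event"] != "vpn_login"
                     and f["ts"] - e["ts"] <= ESCALATION_WINDOW]
        if len(followups) >= 2:
            alerts.append((e["user"], f"{len(followups)} internal actions within {ESCALATION_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```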

Lessons From Notable Akira Incidents

One of the most illustrative cases involved a 158‑year‑old UK logistics company (“Knights of Old / KNP”) that collapsed after an Akira breach forced its financial systems offline. The attackers got in via a weak employee password, and no MFA was in place. Despite having insurance, the company lost its backups and recovery systems and was unable to sustain operations, resulting in administration and about 700 employees losing their jobs. Ransom demands were estimated in excess of £5 million GBP, an amount the company couldn’t meet. 

This tragedy emphasizes how even longstanding companies with insurance and security awareness can be devastated if basic access controls and MFA aren't enforced. Prevention — not reaction — remains the most effective defense. 

Summary: Why This Matters Now

  • Akira ransomware remains one of the top global threats, responsible for hundreds of breaches since early 2023 and tens of millions in extorted funds. 
  • The ongoing exploitation of a SonicWall VPN zero‑day means that even fully patched systems are at risk, with MFA sometimes bypassed.
  • The speed of compromise and encryption—from VPN access to ransomware delivery—can be measured in hours, not days.
  • Double‑extortion tactics and backup destruction by Akira make recovery extremely difficult without paying ransom.

Final Word

This is not a hypothetical or theoretical risk—it is active, high-severity ransomware exploitation targeting a common remote access platform. Our investigations and peer analysis indicate that Akira may be using an undisclosed zero‑day in SonicWall SSL VPN systems. Until a definitive patch is issued, we suggest treating SonicWall VPN access as an attack surface requiring urgent remediation.

If your organisation uses SonicWall Gen 7 or SMA100 appliances, we strongly encourage you to:

  • Disable SSL VPN access or severely restrict it
  • Audit user accounts and credentials
  • Enforce MFA policies and enhance logging and monitoring
  • Ensure your backup strategy is robust and isolated
  • Be prepared to respond swiftly to signs of compromise

Should you need help assessing exposure, reviewing logs, or implementing mitigation steps, we’re here to assist. Don’t hesitate to reach out for support—time is of the essence.

If you’d like a shorter executive summary, advice custom‑tailored for specific roles (IT Directors, small‑business owners, security operations), or help with incident response planning, let us know; we can adapt rapidly to support your needs.

Stay safe and vigilant.

Regards,
Sonar IT